Class: Attio::Util::WebhookSignature

Inherits:

Object

Object
Attio::Util::WebhookSignature

show all

Defined in:: lib/attio/util/webhook_signature.rb

Overview

Verifies webhook signatures from Attio to ensure authenticity

Defined Under Namespace

Classes: Handler, SignatureVerificationError

Constant Summary collapse

SIGNATURE_HEADER = HTTP header containing the webhook signature

"x-attio-signature"

TIMESTAMP_HEADER = HTTP header containing the request timestamp

"x-attio-timestamp"

TOLERANCE_SECONDS = 5 minutes

Class Method Summary collapse

.calculate_signature(payload, timestamp, secret) ⇒ Object
Calculate signature for a payload.
.extract_from_headers(headers) ⇒ Object
Extract signature from headers.
.verify(payload:, signature:, timestamp:, secret:, tolerance: TOLERANCE_SECONDS) ⇒ Object
Verify webhook signature (returns boolean).
.verify!(payload:, signature:, timestamp:, secret:, tolerance: TOLERANCE_SECONDS) ⇒ Object
Verify webhook signature (raises exception on failure).

Class Method Details

.calculate_signature(payload, timestamp, secret) ⇒ `Object`

Calculate signature for a payload

# File 'lib/attio/util/webhook_signature.rb', line 43

def calculate_signature(payload, timestamp, secret)
  # Ensure payload is a string
  payload_string = payload.is_a?(String) ? payload : JSON.generate(payload)

  # Create the signed payload
  signed_payload = "#{timestamp}.#{payload_string}"

  # Calculate HMAC
  hmac = OpenSSL::HMAC.hexdigest("SHA256", secret, signed_payload)

  # Return in the format Attio uses
  "v1=#{hmac}"
end

.extract_from_headers(headers) ⇒ `Object`

Extract signature from headers

Raises:

(SignatureVerificationError)

# File 'lib/attio/util/webhook_signature.rb', line 58

def extract_from_headers(headers)
  signature = headers[SIGNATURE_HEADER] || headers[SIGNATURE_HEADER.upcase] || headers[SIGNATURE_HEADER.tr("-", "_").upcase]
  timestamp = headers[TIMESTAMP_HEADER] || headers[TIMESTAMP_HEADER.upcase] || headers[TIMESTAMP_HEADER.tr("-", "_").upcase]

  raise SignatureVerificationError, "Missing signature header: #{SIGNATURE_HEADER}" unless signature
  raise SignatureVerificationError, "Missing timestamp header: #{TIMESTAMP_HEADER}" unless timestamp

  {
    signature: signature,
    timestamp: timestamp
  }
end

.verify(payload:, signature:, timestamp:, secret:, tolerance: TOLERANCE_SECONDS) ⇒ `Object`

Verify webhook signature (returns boolean)

# File 'lib/attio/util/webhook_signature.rb', line 35

def verify(payload:, signature:, timestamp:, secret:, tolerance: TOLERANCE_SECONDS)
  verify!(payload: payload, signature: signature, timestamp: timestamp, secret: secret, tolerance: tolerance)
  true
rescue SignatureVerificationError
  false
end

.verify!(payload:, signature:, timestamp:, secret:, tolerance: TOLERANCE_SECONDS) ⇒ `Object`

Verify webhook signature (raises exception on failure)

# File 'lib/attio/util/webhook_signature.rb', line 19

def verify!(payload:, signature:, timestamp:, secret:, tolerance: TOLERANCE_SECONDS)
  validate_inputs!(payload, signature, timestamp, secret)

  # Check timestamp to prevent replay attacks
  verify_timestamp!(timestamp, tolerance)

  # Calculate expected signature
  expected_signature = calculate_signature(payload, timestamp, secret)

  # Constant-time comparison to prevent timing attacks
  raise SignatureVerificationError, "Invalid signature" unless secure_compare(signature, expected_signature)
rescue => e
  raise SignatureVerificationError, "Webhook signature verification failed: #{e.message}"
end